Exciting News! Passkeys are Now Available in Microsoft Entra ID. Ten years ago, Microsoft set out to build a world without passwords. Every year on World Password Day, Microsoft shares its progress toward making this a reality.
On May 2nd, 2024, Microsoft announced that Microsoft consumer accounts now support passkeys. This is a big step toward the goal of making it easy and safe for everyone to access their accounts. Passkeys are highly secure keys that make signing in simple and safe.
A passkey is a strong way to sign in to websites and apps, built on the latest security standard, W3C WebAuthn. It is a unique key that keeps your accounts safe from phishing attacks. Passkeys are part of the FIDO2 standard, which is all about getting rid of passwords.
There are some requirements for adding a passkey: Microsoft Entra multifactor authentication (MFA), which confirms that it’s you when you sign in and adds an extra layer of security; Android 14 or iOS 17 and later; and an active internet connection.
What are the Benefits of Passkeys
Passkeys provide high-security assurance through public-private key cryptography and direct user interaction. Passkeys offer significant benefits, including “Verifier Impersonation Resistance”.
1. URL-Specific – When you create a passkey, it’s linked to the specific website you’re using it for. So, it only works on that website.
2. Device-Specific – Passkeys only work on the device they’re set up on. If you try to use them on another device, they won’t work. This keeps your information safe even if someone else gets your passkey.
3. User-Specific – You must prove it’s you when you physically use a passkey.
Passkeys Now Available in Microsoft Entra ID
There is no need to remember complicated passwords anymore. Passkeys are your digital keys to unlock your accounts, and they’re set to replace passwords someday soon.
Note! To use a passkey with Microsoft Authenticator, users must ensure they have the latest version of the app installed on their Android or iOS device.
Hosting Passkeys on Various Devices
Passkeys can be hosted on devices like dedicated hardware security keys, phones, tablets, and laptops.
Dedicated Hardware Security Keys – These are purpose-built devices, like FIDO2 security keys. Insert them into a USB port or tap them on an NFC scanner. Then, you’ll need to confirm with a PIN or biometric verification.
User Devices (Phones, Tablets, PCs) – Windows 10/11, iOS 17, and Android 14 support passkeys. You can store the passkey directly on your device or connect to another nearby device or security key with the passkey. This can be done via Bluetooth, NFC, or USB connection.
Signing in with Passkeys
If you sign in on a user device, you can scan your face, use your fingerprint, or enter your device PIN. If you’re signing in on a different device, like a new phone or PC, you can still use your passkey with your biometric data or PIN: point the camera of the device hosting your passkey at the QR code displayed on the separate device.
Types of Passkeys – Device-bound vs Syncable
There are 2 types of passkeys available: device-bound and syncable. Both are explained below in detail, and the table below compares the two.
If security is the top priority, go for a device-bound passkey. But if you want something secure but easier to manage and move around, a syncable passkey is the way to go.
- Device-bound Passkey – This secure passkey stays locked to one device. So, if you use a unique USB key or facial recognition to log into your device, that’s a device-bound passkey.
- Syncable Passkey – This one is more flexible. You can back it up and restore it. So, imagine you have a passkey for logging into your accounts, and you can save it somewhere safe, like in the cloud. If you switch to a new device, you can grab your passkey from the backup and use it there. There is no need to set up a new one.
Device-bound | Syncable |
---|---|
Device-bound passkeys are super secure because they stay on one device | Syncable passkeys are secure but can be moved around |
Device-bound passkeys can be expensive and difficult if you lose or break your device | Syncable passkeys are easier to manage and can be used across devices. |
Device-bound passkeys are less flexible because they’re stuck to one device | Syncable passkeys are more flexible because you can move them around and back them up. |
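The URL-specific and user-specific properties listed under the benefits, and the device-bound versus syncable distinction in the table above, are all visible to the service that verifies a WebAuthn sign-in. The sketch below is an added example, not code from Microsoft or from the original article: it checks the origin, the RP ID hash, and the UP/UV/BE/BS flag bits defined by the WebAuthn specification. The relying party `login.example.com`, the function names, and the sample inputs are assumptions constructed for illustration, and signature verification is left out.

```python
import hashlib
import json
import struct

# Flag bits of the WebAuthn authenticator data "flags" byte
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10

def check_assertion(auth_data, client_data_json, rp_id, origin, challenge,
                    require_device_bound=False):
    """Check the binding fields of a sign-in assertion (signature check not shown)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not a sign-in assertion")
    if client.get("challenge") != challenge:
        raise ValueError("challenge mismatch")
    # URL-specific: the browser reports the origin that actually made the request
    if client.get("origin") != origin:
        raise ValueError("origin mismatch")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    # Authenticator data carries SHA-256 of the RP ID the passkey is scoped to
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    # User-specific: presence (UP) and PIN/biometric verification (UV)
    if not flags & UP or not flags & UV:
        raise ValueError("user not present or not verified")
    eligible, backed_up = bool(flags & BE), bool(flags & BS)
    if backed_up and not eligible:
        raise ValueError("invalid flags: BS set without BE")
    # Device-bound vs syncable: BE set means the passkey can be backed up
    if require_device_bound and eligible:
        raise ValueError("syncable passkey rejected by policy")
    return {"backup_eligible": eligible, "backed_up": backed_up,
            "sign_count": sign_count}

# Constructed sample inputs (hypothetical relying party login.example.com)
def sample_auth_data(rp_id, flags, sign_count):
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)

def sample_client_data(origin, challenge):
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

if __name__ == "__main__":
    ad = sample_auth_data("login.example.com", UP | UV, 7)
    cd = sample_client_data("https://login.example.com", "Y29uc3RydWN0ZWQ")
    print(check_assertion(ad, cd, "login.example.com",
                          "https://login.example.com", "Y29uc3RydWN0ZWQ", True))
```
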
Using Device-bound Passkeys in Microsoft Authenticator
Some organizations, especially those under strict regulations, must use device-bound passkeys to sign in to Microsoft Entra. These passkeys stay on the device and can’t be moved or backed up, ensuring high security. However, Microsoft offers a new option to meet these needs while keeping the process user-friendly.
Advantages of Hosting Passkeys on a User Device
Let’s discuss the advantages of hosting passkeys on a user device. The list below helps you see these advantages.
- Device-bound passkeys in Microsoft Authenticator are hosted on user devices like smartphones, so there is no need for dedicated hardware.
- Because most people keep their smartphones close, there’s less chance of losing access to the passkey, which reduces the risk.
- Users can sign in quickly using the passkey on their familiar smartphone.
Employees use Microsoft Authenticator on their phones. The passkey stays on the device and can’t be moved, synced, or backed up. Users can use biometrics, local lock screen PINs, or passwords on their phones to access the passkey.
Resources – Public preview: Expanding passkey support in Microsoft Entra ID – Microsoft Community Hub
Author
About the Author: Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.